From ade6aaba0d096da4cbadd874358f256f010e7774 Mon Sep 17 00:00:00 2001 From: Matt Clark Date: Thu, 18 Jun 2026 16:06:59 -0700 Subject: [PATCH 1/2] Fix CreateContainerConfigError by using numeric UID in Dockerfile (OHSS-55168) --- build/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index d10e304ba..d3800e901 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -16,11 +16,9 @@ COPY pkg/ pkg/ # Build RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -mod=mod -a -o manager main.go -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8-1780378819 WORKDIR / COPY --from=builder /workspace/manager . -USER nonroot:nonroot +USER 65534:65534 ENTRYPOINT ["/manager"] From 4b82570e53c0863ff2a5b0fdba5fe9927c1b4232 Mon Sep 17 00:00:00 2001 From: Matt Clark Date: Thu, 18 Jun 2026 16:29:55 -0700 Subject: [PATCH 2/2] Update boilerplate --- .ci-operator.yaml | 2 +- OWNERS_ALIASES | 2 - boilerplate/_data/backing-image-tag | 2 +- boilerplate/_data/last-boilerplate-commit | 2 +- boilerplate/_lib/container-make | 7 +- boilerplate/_lib/subscriber-propose-update | 141 ++++++++++++++---- boilerplate/openshift/golang-osd-e2e/update | 11 +- .../golang-osd-operator/OWNERS_ALIASES | 2 - .../golang-osd-operator/dependabot.yml | 5 + .../golang-osd-operator/docs/pre-commit.md | 11 +- build/Dockerfile | 4 +- build/Dockerfile.olm-registry | 2 +- test/e2e/Dockerfile | 2 +- 13 files changed, 143 insertions(+), 50 deletions(-) diff --git a/.ci-operator.yaml b/.ci-operator.yaml index 188626d79..645d280a7 100644 --- a/.ci-operator.yaml +++ b/.ci-operator.yaml @@ -1,4 +1,4 @@ build_root_image: name: boilerplate namespace: openshift - tag: image-v8.3.6 + tag: image-v8.4.0 diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 7fddbfa2f..bf1a91d0c 100644 --- a/OWNERS_ALIASES 
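Review bot: The new `USER 65534:65534` line in build/Dockerfile has no comment saying why a numeric ID is required, and this commit removes the only comment in the final stage, so a later cleanup could easily turn it back into a user name. I would add a line above it such as `# Numeric UID:GID so the kubelet can verify runAsNonRoot; a user name cannot be checked and fails with CreateContainerConfigError`. If any deployment manifest pins `runAsUser` or relies on file ownership inside the image, it is worth confirming that it agrees with 65534.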
+++ b/OWNERS_ALIASES @@ -26,7 +26,6 @@ aliases: - cjnovak98 srep-functional-team-hulk: - ravitri - - devppratik - Tafhim - tkong-redhat - TheUndeadKing @@ -81,7 +80,6 @@ aliases: - ravitri srep-team-leads: - rafael-azevedo - - iamkirkbater - dustman9000 - bmeng - typeid diff --git a/boilerplate/_data/backing-image-tag b/boilerplate/_data/backing-image-tag index ca21d244a..5598e1796 100644 --- a/boilerplate/_data/backing-image-tag +++ b/boilerplate/_data/backing-image-tag @@ -1 +1 @@ -image-v8.3.6 +image-v8.4.0 diff --git a/boilerplate/_data/last-boilerplate-commit b/boilerplate/_data/last-boilerplate-commit index e1285a818..5af2696b1 100644 --- a/boilerplate/_data/last-boilerplate-commit +++ b/boilerplate/_data/last-boilerplate-commit @@ -1 +1 @@ -1cb129aed5a91f2098f70c0e141561e00b1e16fc +a2d5909871fcc9a363b131d31b05f941841941c3 diff --git a/boilerplate/_lib/container-make b/boilerplate/_lib/container-make index 77834586d..8da20031a 100755 --- a/boilerplate/_lib/container-make +++ b/boilerplate/_lib/container-make @@ -29,12 +29,14 @@ if [[ "${CONTAINER_ENGINE##*/}" == "podman" ]] && [[ $OSTYPE == *"linux"* ]]; th else CE_OPTS="${CE_OPTS} -v $REPO_ROOT:$CONTAINER_MOUNT" fi -container_id=$($CONTAINER_ENGINE run -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity) +container_id=$($CONTAINER_ENGINE run --rm -d ${CE_OPTS} $IMAGE_PULL_PATH sleep infinity) if [[ $? -ne 0 ]] || [[ -z "$container_id" ]]; then err "Couldn't start detached container" fi +trap "$CONTAINER_ENGINE stop $container_id >/dev/null 2>&1" EXIT + # Now run our `make` command in it with the right UID and working directory args="exec -it -u $(id -u):0 -w $CONTAINER_MOUNT $container_id" banner "Running: make $@" @@ -52,6 +54,9 @@ if [[ $rc -ne 0 ]]; then fi fi +# Disarm the interrupt trap -- normal cleanup handles it from here +trap - EXIT + # Finally, remove the container banner "Cleaning up the container" $CONTAINER_ENGINE rm -f $container_id >/dev/null 
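Review bot: The EXIT trap added after the container start in boilerplate/_lib/container-make calls `stop`, but the container's main process is `sleep infinity`, which as PID 1 will normally not react to the stop signal. An interrupted run therefore probably waits out the engine's stop timeout before the container goes away. The final cleanup already uses `rm -f`, and the trap could do the same: `trap "$CONTAINER_ENGINE rm -f $container_id >/dev/null 2>&1" EXIT`. In the second hunk (@@ -52,6 +54,9 @@) the comment should say "exit trap" rather than "interrupt trap", since the trap is registered on EXIT; with the trap doing `rm -f`, the disarm and the explicit removal could probably be dropped. The script continues outside both hunks.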
diff --git a/boilerplate/_lib/subscriber-propose-update b/boilerplate/_lib/subscriber-propose-update index f3b06ef20..4ac512569 100755 --- a/boilerplate/_lib/subscriber-propose-update +++ b/boilerplate/_lib/subscriber-propose-update @@ -25,7 +25,7 @@ Quirks and Limitations: - Is still slightly interactive, because 'gh pr create' likes to ask questions about your origin and upstream. EOF - exit -1 + exit 1 } source $REPO_ROOT/boilerplate/_lib/subscriber.sh 
@@ -34,47 +34,101 @@ source $REPO_ROOT/boilerplate/_lib/subscriber.sh [[ $# -eq 0 ]] && usage TMPD=$(mktemp -d) +echo $TMPD; trap "rm -fr $TMPD" EXIT +run_step() { + local title=$1 + local log_file="$TMPD/$title.log" + log_file=$(tr '[:upper:]' '[:lower:]' <<< "$log_file") + log_file=$(tr ' ' '-' <<< "$log_file") + shift + + if [[ $1 != "--" ]]; then + echo "ERR: expected '--' but got '$1'" + exit 1 + fi + shift + echo -n "$title... " + + if ! "$@" > "$log_file" 2>&1; then + echo " FAILED" + echo "!!!" + echo "!!! Boilerplate update failed for $subscriber" + echo "!!!" + echo "" + cat "$log_file" + exit 1 + fi + echo " DONE" +} + +sync_main() { + local main_branch=$1 + shift + + git pull upstream $main_branch + git push origin $main_branch +} + +git_clean_and_push() { + local branch=$1 + shift + + git push --delete origin $branch || true + git push -u origin $branch +} + propose_update() { local subscriber=$1 local proj=${subscriber#*/} - if [[ -z "$DRY_RUN" ]]; then - echo "DRY RUN: Would propose update for $subscriber" - return 0 - fi - ( # Clone my fork of the subscriber repo cd $TMPD # This # - uses the existing fork if one exists # - sets 'origin' and 'upstream' remotes - gh repo fork $subscriber --clone=true --remote=true + # only clones the default branch to save disk space and time + + run_step "Creating fork" -- gh repo fork $subscriber --clone=true --default-branch-only cd $proj - # Current branch is 'master' or 'main' - cur_branch=$(current_branch .) - # Make sure our origin is synced with upstream, so our update - # commit is based off of the latest code. - # WARNING: This changes your fork! - git pull upstream $cur_branch - git push origin $cur_branch - - # Create the update commit - make boilerplate-update - make boilerplate-commit - - # And create the PR - # TODO: This is interactive. How do we tell gh "Yes, please use - # upstream as upstream and origin as origin?" 
- gh pr create -f + # Current branch is 'master' or 'main' or 'trunk' + main_branch=$(current_branch .) + run_step "Syncing Fork" -- sync_main $main_branch + # run_step "Pushing fork" -- git push origin $main_branch + + # Create the update commit - only cat logs if something goes wrong. + run_step "Updating boilerplate" -- make boilerplate-update + run_step "Committing boilerplate update" -- make boilerplate-commit + + boilerplate_branch=$(git rev-parse --abbrev-ref HEAD) + # By pushing to the origin boilerplate branch explicitly before opening a PR, + # we make don't get prompted for the branch to push to. + # If we still find that it's giving us an interactive prompt, we can otherwise + # use `gh api` to create the PR programmatically. + if [[ "$boilerplate_branch" == "$main_branch" ]]; then + echo "CRITICAL ERROR: boilerplate branch '$boilerplate_branch' is the same as main branch '$main_branch'" + echo "If you see this, something has gone terribly wrong" + echo "Skipping" + exit 20 + fi + run_step "pushing update" -- git_clean_and_push $boilerplate_branch + + gh pr create --repo $subscriber -f $DRY_RUN_FLAG ) } bp_master=$(git rev-parse master) +DRY_RUN_FLAG="" +if [[ -z "$DRY_RUN" ]]; then + echo "DRY RUN: ENABLED" + DRY_RUN_FLAG="--dry-run" +fi + + for subscriber in $(subscriber_args "$@"); do # Does this one need an update? 
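Review bot: In `run_step`, both `tr` calls are applied to the whole `$TMPD/$title.log` path rather than to the title, so a `mktemp -d` directory with upper-case characters in its name is rewritten to a path that does not exist. The redirect then fails and the step reports FAILED without running its command. Normalise only the title: `local slug; slug=$(tr '[:upper:]' '[:lower:]' <<< "$title" | tr ' ' '-')` followed by `local log_file="$TMPD/$slug.log"`. Separately, the early `return 0` for the dry-run case was removed from `propose_update`, so a dry run still forks, pushes to the fork's main branch and deletes and re-pushes the update branch, and only `gh pr create` receives `--dry-run`. If that is intended the usage text should say so, otherwise keep the guard ahead of the first `run_step`; the `echo $TMPD;` line also looks like leftover debugging output.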
@@ -89,14 +143,45 @@ for subscriber in $(subscriber_args "$@"); do continue fi - # Is there already a PR proposed for this level? - existing_pr=$(gh pr list --repo $subscriber | grep -P ":boilerplate-\S+-$bp_master\s") + # Is there already a PR proposed for this commit? + pr_list=$(gh pr list --repo $subscriber --json headRefName,url,number | jq -r '. | map(select(.headRefName | startswith("boilerplate-update--")))') + existing_pr=$(jq -r ".[] | select(.headRefName == \"boilerplate-update--$bp_master\")" <<< "$pr_list") if [[ -n "$existing_pr" ]]; then - echo "Subscriber '$subscriber' already has an open PR:" - echo "https://github.com/$subscriber/pull/$existing_pr" + echo "Subscriber '$subscriber' already has an open PR for this boilerplate commit:" + jq -r .url <<< "$existing_pr" continue fi # Pull the trigger - propose_update "$subscriber" + if ! propose_update "$subscriber"; then + echo "Error: failed to propose update for '$subscriber'" + continue + fi + + new_pr="XXXX" + # Get the new PR URL + # only run if not dry-run - otherwise the new_pr var will be empty + if [[ -n $DRY_RUN ]]; then + new_pr=$(gh pr list --repo $subscriber --json headRefName,number | jq -r ".[] | select(.headRefName == \"boilerplate-update--$bp_master\") | .number") + if [[ -z "$new_pr" ]]; then + echo "error: unable to find new PR for boilerplate update '$bp_master' on subscriber '$subscriber'" + continue + fi + fi + + # Add comments to existing PRs to say they're superseded by this new one + if [[ -n "$pr_list" ]]; then + prs=$(jq -r '. | map(.number) | @tsv' <<< "$pr_list") + echo "Closing old PRs: $prs" + for pr in $prs; do + if [[ -z $DRY_RUN ]]; then + echo "Dry run - would close $pr with comment:" + echo " \"Superseded by #$new_pr.\"" + continue + fi + + gh pr close --repo $subscriber --comment "Superseded by #$new_pr." $pr + done + fi + done diff --git a/boilerplate/openshift/golang-osd-e2e/update b/boilerplate/openshift/golang-osd-e2e/update index b0a516a37..df9b1593c 100755 
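Review bot: Existing PRs are selected by head branch name alone (`startswith("boilerplate-update--")`), and every match is later closed with a "Superseded by" comment. The branch name is chosen by whoever opens the PR, so a PR from any fork with that prefix would be closed, and one named `boilerplate-update--$bp_master` would make the script skip the subscriber. Restricting the query to trusted authors avoids that, for example `gh pr list --repo $subscriber --author "@me" --json headRefName,url,number`, or adding `author` to `--json` and filtering on it. Also, `pr_list` is a JSON array, so `[[ -n "$pr_list" ]]` is true even when it is `[]`, and "Closing old PRs:" is printed with nothing to close. The enclosing `for subscriber` loop starts before this hunk.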
--- a/boilerplate/openshift/golang-osd-e2e/update +++ b/boilerplate/openshift/golang-osd-e2e/update @@ -12,8 +12,13 @@ source $CONVENTION_ROOT/_lib/common.sh REPO_ROOT=$(git rev-parse --show-toplevel) OPERATOR_NAME=$(sed -n 's/.*OperatorName .*=.*"\([^"]*\)".*/\1/p' "${REPO_ROOT}/config/config.go") +GO_MODULE_PATH=$(awk '/^module / { print $2; exit }' "${REPO_ROOT}/go.mod") E2E_SUITE_DIRECTORY=$REPO_ROOT/test/e2e +if [[ -z "${GO_MODULE_PATH}" ]]; then + err "Could not read module path from ${REPO_ROOT}/go.mod" +fi + # Update operator name in templates OPERATOR_UNDERSCORE_NAME=${OPERATOR_NAME//-/_} OPERATOR_PROPER_NAME=$(echo "$OPERATOR_NAME" | sed 's/-/ /g' | awk '{for(i=1;i<=NF;i++){ $i=toupper(substr($i,1,1)) substr($i,2) }}1') @@ -21,16 +26,16 @@ OPERATOR_NAME_CAMEL_CASE=${OPERATOR_PROPER_NAME// /} mkdir -p "${E2E_SUITE_DIRECTORY}" -E2E_SUITE_BUILDER_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.25-openshift-4.21 +E2E_SUITE_BUILDER_IMAGE=registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.26-openshift-4.22 if [[ -n ${KONFLUX_BUILDS} ]]; then - E2E_SUITE_BUILDER_IMAGE="brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.25" + E2E_SUITE_BUILDER_IMAGE="brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.26" fi echo "syncing ${E2E_SUITE_DIRECTORY}/Dockerfile" tee "${E2E_SUITE_DIRECTORY}/Dockerfile" <